I will briefly describe the -R and -L options of ssh, which are used to forward arbitrary ports over a secure connection between machines on the internet.
Suppose you have a computer (let's call it Alice) that is heavily firewalled and NATed, so that it cannot be reached directly from the outside. To the outside, all its traffic appears to come from the firewall. Suppose further that you want to reach this "hidden" machine from outside anyway, e.g. via ssh from "Bob", to log in to Alice and do stuff. What you can do to resolve this is to tell Alice to forward its ssh port (number 22 usually) to Bob.
To do this, you use the -R option ("R" for Remote Forward) from Alice:
ssh -R6789:localhost:22 Bob
Now Alice's ssh port is available at Bob's port 6789 (the number is arbitrary, of course), so Alice can be reached from Bob with
ssh -p 6789 localhost
Figure 1 illustrates this:

Now suppose you would rather access Alice from the machine "Max" instead of Bob, and have no possibility to physically go to Alice and tell her to do the same as above. You already know how to do it: tell Bob to forward its port 6789 to Max, as Figure 2 shows:

But there is another way to do it, involving the -L option. Max can himself make his own port 6789 listen and forward it to Bob's port 6789 using:
ssh -L6789:localhost:6789 Bob
and then again Alice is reachable at Max's port 6789, as Figure 3 shows.

Note that in both cases the traffic from Max to Alice (and vice versa) physically goes via Bob, as the tunnels are built this way. If this detour is not wanted, it can still be used to reach Alice and make her create a tunnel of her own to Max...
Of course there are much greater possibilities than just forwarding the ssh port; think of web servers etc. But I am sure you can figure them out by yourself... Have fun!
Addendum
I always wondered why Max cannot access Alice via tunnel 1 in Fig. 1. After all, port 6789 is open on Bob, and from Max one should be able to do "ssh -p 6789 Bob". But this never worked when I tried. The reason is that ssh wants to be told explicitly that it shall make the port publicly available; by default a forwarded port is bound to the loopback interface only. This has to be done on the side where the port is opened. This means that for -L type forwarding it is enough to use the -g option. For -R type forwarding the entry "GatewayPorts=yes" has to be added to the target machine's /etc/ssh/sshd_config (and sshd reloaded).
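As an added example (not part of the original post), here is a small audit script that applies the addendum's point from the other side: given `ss -ltnp`-style output, it reports which ports held open by ssh or sshd are bound to loopback only (the default) and which are exposed on all interfaces, as happens after -g or GatewayPorts. The embedded sample output is constructed, and the function names are my own.

```sh
#!/bin/sh
# Audit ssh port forwards from `ss -ltnp` output: loopback-only versus exposed.
# Constructed sample in the format of `ss -ltnp` on Linux (illustrative values only).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:6789      0.0.0.0:*         users:(("sshd",pid=2211,fd=9))
LISTEN 0      128    0.0.0.0:6790        0.0.0.0:*         users:(("sshd",pid=2211,fd=10))
LISTEN 0      128    [::1]:6791          [::]:*            users:(("ssh",pid=3307,fd=5))
LISTEN 0      128    *:6792              *:*               users:(("ssh",pid=3308,fd=5))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=401,fd=7))'

# audit_forwards: one line per ssh/sshd listening socket: "<port> loopback|exposed <process>".
# Port 22 (the sshd service itself) is skipped; any other port sshd holds is an -R forward,
# any port the ssh client holds is an -L forward.
audit_forwards() {
  printf '%s\n' "$1" | awk '
    NR == 1 { next }                              # skip the header line
    /\("ssh(d)?",/ {                              # only sockets owned by ssh or sshd
      n = split($4, a, ":"); port = a[n]          # port follows the last colon
      if (port == "22") next
      addr = substr($4, 1, length($4) - length(port) - 1)
      scope = (addr == "127.0.0.1" || addr == "[::1]") ? "loopback" : "exposed"
      proc = ($6 ~ /"sshd"/) ? "sshd" : "ssh"
      print port, scope, proc
    }'
}

# count_exposed: number of forwarded ports reachable from other hosts.
count_exposed() {
  audit_forwards "$1" | awk '$2 == "exposed"' | wc -l | tr -d ' '
}

audit_forwards "$SAMPLE_SS"
echo "exposed forwards: $(count_exposed "$SAMPLE_SS")"
```

To audit a real host, replace SAMPLE_SS with the output of `ss -ltnp` run as root.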
I have a question: in the
I have a question: in the first situation when Alice wants to forward her 22 port to Bob's 6789 port, shouldn't the call be made from Bob as:
ssh -R22:localhost:6789 Alice
Regards,
Boti
Your illustrations are
Your illustrations are correct, but your text has a typo. The line that says ssh -R22:localhost:6789 Bob should read just the opposite: ssh -R6789:localhost:22 Bob
Otherwise, thanks for a clearly written and illustrated HOWTO on using tunneling with SSH!
Thanks for pointing that
Thanks for pointing that out. It is corrected now. Stupid me! :-)
/Tom
Say I'm work using the
Say I'm at work using the company firewall.
During "lunch" I want to connect to my favorite MMPOG. If I understand this correctly, then I would go out of my desktop like this.
ssh -R22:gameserver:gameport ??
Curious... also how would a sniffer see this, as ssh traffic?